Recipe 11.9. Script: Mass Admin Password Changer

What do you do when someone who knows the administrator passwords for your systems leaves the company? Do you go to every server and change the passwords? You should. Do you periodically change all of the administrator passwords on your systems by hand? That's where this script comes in handy. All you need is a text file that lists the servers; set the new password in the code and run the script with an account that has administrative privileges on those servers. This way you can quickly change the administrator password on a large number of servers. Two cautions: the script sets the same password on every server in the list, so a compromise of any one host exposes all of them, and the new password sits in clear text in the script file, so protect that file while you use it and delete it when the run is done.

Here is the code:

Option Explicit
On Error Resume Next

' Input: one server name per line. Output: one file listing the servers that
' were changed, one listing the servers that failed along with the error text.
Dim strServerList : strServerList = "c:\servers.txt"
Dim strServerPass : strServerPass = "c:\pass.txt"
Dim strServerFail : strServerFail = "c:\fail.txt"

' Account to change and the new password (the same value is set on every server)
Dim strAdminAccount : strAdminAccount = "administrator"
Dim strNewPassword : strNewPassword   = "My!New!Password"

Dim objFSO, objServersFile, objPassFile, objFailFile
Set objFSO  = CreateObject("Scripting.FileSystemObject")
Set objServersFile = objFSO.OpenTextFile(strServerList)
Set objPassFile    = objFSO.CreateTextFile(strServerPass)
Set objFailFile    = objFSO.CreateTextFile(strServerFail)

Do While not objServersFile.AtEndOfStream
     Dim strServer : strServer = objServersFile.ReadLine
     Dim objAdmin
     ' Bind to the local account through the WinNT provider, using the
     ' credentials of the user running the script
     Set objAdmin = GetObject("WinNT://" & strServer & "/" _
                    & strAdminAccount & ",user")
     if Err then
        ' Bind failed (host down, name wrong, access denied): record and move on
        objFailFile.WriteLine strServer & " failed: " & Err.Description
        Err.Clear
     else
        objAdmin.SetPassword strNewPassword
        objAdmin.SetInfo
        if Err then
           objFailFile.WriteLine strServer & " failed: " & Err.Description
           Err.Clear
        else
           objPassFile.WriteLine strServer & " successful"
        end if
     end if
Loop

WScript.Echo "Complete."

' Close open files
objServersFile.close
objFailFile.close
objPassFile.close

The code is pretty straightforward, but if you'd rather piece together a long command line, I may be able to help there as well. I'm now going to present three different commands that do essentially the same thing as the script, except each pulls the list of servers to change the password on from a different source. They all use the Sysinternals pspasswd command to remotely change passwords. In pspasswd, -u and -p supply the credentials used to connect to each server, and the account to change and its new password come last as the final two arguments. Check that order before running against a list: if the new password is left off, pspasswd applies a blank one. If you omit -p, pspasswd prompts for the connection password instead of leaving it in your command history and in the process list. The %v form is for an interactive prompt; inside a batch file write %%v.

The first does exactly what the script does by iterating over a list of servers in a text file (called c:\servers.txt):

> for /f %v in (c:\servers.txt) do pspasswd \\%v -u administrator -p <Current> administrator <New>

If you want to change the password on just a handful of servers, you may not want to create a text file. With the following command, you can specify the list of hosts:

> for %v in (localhost,srv01,srv02) do pspasswd \\%v -u administrator -p <Current> administrator <New>

Lastly, you may want to pull your list of servers from Active Directory. The following command iterates over all the computers contained in the cn=Computers container in the dc=rallencorp,dc=com domain while running on a Windows Server 2003 computer. Note that computer objects moved into organizational units are not in that container, so point dsquery at the OU or the domain root if that is where your servers live; -limit 0 is needed because dsquery otherwise stops after 100 results, and %~v strips the quotes dsquery puts around each RDN:

> for /f "usebackq" %v in (`dsquery computer "cn=computers,dc=rallencorp,dc=com" -limit 0 -o rdn`) do pspasswd \\%~v -u administrator -p <Current> administrator <New>
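The following is an added example, not code from the book: a PowerShell version of both the VBScript above and the pspasswd loops. It uses the same WinNT ADSI calls (SetPassword, SetInfo) and the same c:\servers.txt list, but generates a distinct random password for each server instead of one shared value, and returns the outcome per host so the recipe's pass.txt/fail.txt split falls out of the objects. The file paths, the Administrator account name and the 24-character length are assumptions mirroring the recipe; the caller must be an administrator on each host.

```powershell
# Added example (not the book's code): per-server random passwords for the local
# Administrator account, set through the same WinNT provider as the VBScript.
# Assumed: c:\servers.txt lists one host per line; the caller is an admin on each.

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (l, I, O, 0, 1) are left out so a password can be read back from paper.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG, not Get-Random
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: bytes >= $limit would bias the modulo
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = $sb.ToString()
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    $pw   # one of each class, so the default Windows complexity policy accepts it
}

function Set-LocalAdminPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string]$Account = 'Administrator',
        [int]$Length = 24
    )
    $ErrorActionPreference = 'Stop'   # make any ADSI error terminating so the catch below sees it
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $computer; Account = $Account; Password = $null; Status = 'Skipped'; Error = $null
        }
        try {
            if ($PSCmdlet.ShouldProcess($computer, "Set password of $Account")) {
                $newPassword = New-RandomPassword -Length $Length
                # Same binding as the VBScript; the caller's own credentials are used against each host.
                $user = [ADSI]"WinNT://$computer/$Account,user"
                $user.SetPassword($newPassword)
                $user.SetInfo()
                $result.Password = $newPassword
                $result.Status   = 'Changed'
            }
        } catch {
            $result.Status = 'Failed'
            $result.Error  = $_.Exception.Message   # what the recipe wrote to fail.txt
        }
        $result
    }
}

# Usage: read the recipe's server list, then split the output the way pass.txt / fail.txt did.
$hosts   = Get-Content -Path 'c:\servers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = Set-LocalAdminPassword -ComputerName $hosts
$results | Where-Object { $_.Status -eq 'Failed' }  | Format-Table ComputerName, Error
# The CSV holds live credentials: treat it as the sidebar's sealed envelope, or load it
# into a password vault, and shred the file afterwards.
$results | Where-Object { $_.Status -eq 'Changed' } | Export-Csv -Path 'c:\newpasswords.csv' -NoTypeInformation
```

Run `Set-LocalAdminPassword -ComputerName $hosts -WhatIf` first to rehearse the list without touching any account; the ShouldProcess check skips the ADSI calls and the generated password is never produced for those hosts.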

Don't Know Your Administrator Passwords

Upon reading this recipe, one of the technical reviewers for this book, Joe Richards, stated the following:

Actually, no one should use or know the passwords for the built-in accounts, they should be randomly set to some value greater than 14 characters that are near impossible to memorize and then stuffed into envelopes that are kept in some big pain in the neck manager's office. People should be using their own accounts for everything. Then you simply monitor password ages to make sure they don't change when you don't expect. Every 90 days, sweep through and change the passwords via a script and notify the security manager. If you are confident in the length of the password for brute force cracking then don't even worry about changing it every 90 days. However if you do that, it might be worth watching the last logon time in the script that monitors password age. In one company, the domain administration passwords were 50 random characters, set, tested, and stuffed in an envelope. Each domain had a different password. The procedure was that if someone needed the password it would be changed again that same day. In four or so years, the envelopes were never touched.
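The monitoring the sidebar describes, as an added example that is neither the book's nor Joe Richards's code: it reads the pwdLastSet and lastLogonTimestamp of the domain's built-in Administrator (RID 500, found by SID so a renamed account is not missed) and compares them against the date your rotation script last ran. The 90-day window, the 10-minute clock-skew tolerance and the "last rotation" value (which would come from your own rotation record) are assumptions. Get-BuiltinAdminState needs a domain-joined host with read access to AD; Test-BuiltinAdminState is pure logic and is exercised below on constructed values.

```powershell
# Added example (not the book's code): flag unexpected password changes, stale
# passwords and any use of the built-in domain Administrator account.

function Get-BuiltinAdminState {
    param([string]$SearchBaseDn)   # e.g. 'dc=rallencorp,dc=com'; default: the current domain
    if (-not $SearchBaseDn) { $SearchBaseDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext }
    $root = [ADSI]"LDAP://$SearchBaseDn"
    # Locate the account by SID (domain SID + RID 500) so renaming "Administrator" does not hide it.
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($root.Properties['objectSid'].Value, 0)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectSid=$($domainSid.Value)-500)")
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet', 'lastLogonTimestamp'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "RID 500 account not found under $SearchBaseDn" }
    $llt = if ($r.Properties['lastlogontimestamp'].Count -gt 0) { [int64]$r.Properties['lastlogontimestamp'][0] } else { 0 }
    [pscustomobject]@{
        SamAccountName     = [string]$r.Properties['samaccountname'][0]
        PwdLastSet         = [int64]$r.Properties['pwdlastset'][0]   # FILETIME; 0 = must change at next logon
        LastLogonTimestamp = $llt                                    # FILETIME; 0 = never logged on
    }
}

function Test-BuiltinAdminState {
    param(
        [Parameter(Mandatory = $true)]$State,                      # output of Get-BuiltinAdminState
        [Parameter(Mandatory = $true)][datetime]$LastRotation,     # when your rotation script last ran (assumed record)
        [int]$MaxAgeDays = 90,
        [datetime]$Now = (Get-Date)
    )
    $Now = $Now.ToUniversalTime(); $LastRotation = $LastRotation.ToUniversalTime()
    $findings = @()
    if ($State.PwdLastSet -eq 0) {
        $findings += 'pwdLastSet is 0: "user must change password at next logon" is set'
    } else {
        $pwdSet = [datetime]::FromFileTimeUtc($State.PwdLastSet)
        # Any change that does not line up with the recorded rotation is unexpected.
        if ([math]::Abs(($pwdSet - $LastRotation).TotalMinutes) -gt 10) {
            $findings += "password set $($pwdSet.ToString('u')), not at the recorded rotation $($LastRotation.ToString('u'))"
        }
        if (($Now - $pwdSet).TotalDays -gt $MaxAgeDays) {
            $findings += "password is older than $MaxAgeDays days"
        }
    }
    # lastLogonTimestamp replicates between DCs but is refreshed at most about every
    # 14 days, so it answers "has this account been used", not "exactly when".
    if ($State.LastLogonTimestamp -ne 0) {
        $logon = [datetime]::FromFileTimeUtc($State.LastLogonTimestamp)
        if ($logon -gt $LastRotation) {
            $findings += "account logged on $($logon.ToString('u')) after the recorded rotation"
        }
    }
    [pscustomobject]@{ Account = $State.SamAccountName; Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample (not real directory data): the record says the password was
# rotated 120 days ago, but AD shows a reset 3 days ago and a logon yesterday.
$now = [datetime]::SpecifyKind([datetime]'2024-06-01', [System.DateTimeKind]::Utc)
$sample = [pscustomobject]@{
    SamAccountName     = 'Administrator'
    PwdLastSet         = $now.AddDays(-3).ToFileTimeUtc()
    LastLogonTimestamp = $now.AddDays(-1).ToFileTimeUtc()
}
Test-BuiltinAdminState -State $sample -LastRotation $now.AddDays(-120) -Now $now

# Against the live domain, with the date from your own rotation log:
# Test-BuiltinAdminState -State (Get-BuiltinAdminState) -LastRotation (Get-Date '2024-03-01')
```

Schedule the live form to run daily and alert on `Ok -eq $false`; because lastLogonTimestamp lags, a logon finding should be confirmed against the 4624/4625 events on the domain controllers before you conclude who used the envelope.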




Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
